
Overview: Software as a Service

NIST definition of SaaS:

“Software deployed as a hosted service and accessed over the internet”

• SaaS is a software solution whose code and data execute and reside in the cloud.
• A user accesses the SaaS through a browser.
• Remember: the cloud service consumer is a temporary runtime role assumed by a software program when it accesses a cloud service.
• For the time being we shall assume that the browser acts as the cloud service consumer when accessing a SaaS.
• SaaS solutions eliminate the need for on-premises (data center based) applications, application administration and data storage.
• The customer is allowed to adopt a pay-as-you-go type of rental.
• SaaS offers scalability and device-independent access to the SaaS solution(s).
• The SaaS provider assures that the software provided is solidly tested and supported.
• The notable disadvantage of SaaS is that the data resides off premises.
• Therefore data security is of prime importance, because the customer's data may be proprietary and business sensitive.
• The SaaS provider offers SaaS apps executing over IT resources. These resources can be physical servers or VMs owned/rented by the provider.
• Each instance of a SaaS app (consumed by a user) is allocated a separate set of IT resources.
• Classes of SaaS:
o Business Logic: Connects the suppliers, employees, investors and customers.
Examples: invoicing, funds transfer, inventory management, customer relationship management (CRM).
o Collaboration: Supports teams of people working together.
Examples: calendar systems, email, screen sharing, conference management and online gaming.
o Office productivity: Office environment support.
Examples: word processors, spreadsheets, presentation and database software.
o Software Tools: For the support of developing software and solving compatibility problems.
Examples: format conversion tools, security scanning, compliance checking and web development.
• Software that is not suitable for public SaaS offerings (according to NIST):
o Real Time Software: Requires a precise response time. Due to variable response times and network delays, such software is not suitable to be offered as SaaS. Examples: flight control systems and factory robots.
o Bulk consumer data: When an extremely large amount of data originates physically at the consumer's side, such as physical monitoring and patient monitoring data, it is not feasible to transfer this data in real time over a WAN to the SaaS provider.
o Critical Software: Software is labelled critical if its failure or delay in handling can cause loss of life or loss of property. Such software is not suitable for SaaS because achieving continuously acceptable reliability for critical software in a public SaaS is quite challenging due to unreliable public-network-based access.

SaaS Examples

• Salesforce.com: SaaS for customer relationship management (CRM)
o Manage sales contacts and leads
o Centralize the contact information and project details
o Access sales reports from any place, at any time
o Manages and syncs sales contacts and meetings with other tools such as Microsoft Outlook.
• Taleo: SaaS for human resource management (HRM)
o Recruitment tools to manage applicants' data for hiring purposes
o Performance management and tracking tools for employee evaluation
o Compensation tools for rewarding employees according to performance
o Workforce training and professional development tools.
• ADP: SaaS for payroll processing and HRM
o Cloud solution for time management, employee benefits calculation, worker compensation and HR issues.
• Carbonite: SaaS for file backups
o Provides backup services for precious business data and personal data. The data is kept securely and redundantly.
• Microsoft Office 365: SaaS for document creation, editing and sharing
o In order to provide the documentation tools at an affordable price and to compete with freeware solutions, Microsoft offers its flagship software suite on a monthly rental basis.
o The documents are saved in the cloud and are shareable among multiple users.

Software Stack

• The provider controls most of the software stack.
• Application: Email
• Middleware: Software libraries, runtime environments (Java, Python)
• The service provider has admin control over the application and total control over the rest of the layers.
• The service consumer has limited admin control over the application and no control over the rest of the stack.
• A consumer can create, send and manage the emails and even the email accounts.
• But the email provider has absolute control over the SaaS software stack in order to perform its duties, such as provisioning, management, updates and billing in the email app.

SaaS Benefits

• Modest software tool footprint
There is no need for complex installation procedures because SaaS applications are accessible through web browsers. This is one of the reasons for the widespread use of SaaS applications.
• Efficient use of software licenses
The license issuance and management procedure is quite efficient. A single client is issued a single license for multiple computers. This is because the software runs directly on the provider's infrastructure and thus can be billed and monitored directly.
• Centralized management and data
The consumer's data is stored in the cloud. The provider assures the security and availability of the data. The data that seems centralized to the consumer may in fact be distributed and replicated by the provider. Data backup is provided, possibly at additional charges.
• Platform responsibilities managed by providers
The consumer does not have to bother about operating system type, hardware and software configurations, software installation and upgrades.
• Savings in upfront costs
(As discussed before) up-front costs such as equipment acquisition and hardware provisioning are avoided by the SaaS consumer. The provider is responsible for operational issues such as backups, system maintenance, security software, upgrades, troubleshooting in software, physical security and hardware management.

SaaS Issues and Concerns

NIST has identified a few issues and concerns about SaaS. Most of these issues stem from the network dependency of SaaS.

• Browser based risks and remedies
o Since the SaaS is accessed through a browser installed on the consumer's device, the inherent vulnerabilities of web browsers do have an impact on SaaS security.
o Although browsers apply encryption to network traffic, various network attacks such as brute force and man-in-the-middle attacks are still possible against the SaaS data.
o The resources leased by the consumer can be hijacked by malicious users due to poor implementation of the cryptographic features of browsers.
o If the consumer's browser is already infected with a security threat (due to a visit to a malicious website) and the same browser is later used for SaaS access, then the SaaS data might get compromised.
o If a single consumer accesses multiple SaaS services using browser instances, then the data of these SaaS instances may get mixed up.
o A few suggestions by NIST:
▪ Use a different browser to access each different SaaS
▪ Do not use the same browser for web surfing and SaaS access
▪ Use a VM to access a SaaS
• Network Dependence
o A SaaS application depends upon a reliable and continuously available network.
o The reliability of the public network (internet) cannot be guaranteed, as compared to the dedicated and protected communication links of private SaaS applications.
• Lack of portability between SaaS clouds
o It may not be trivial to import/export data among different SaaS applications deployed over different clouds, due to customized development and deployment of SaaS applications and their data formats.
• Isolation vs Efficiency (Security vs Cost trade-offs)
o The provider has to make a trade-off decision as to whether to deploy separate IT resources (such as VMs) for each client or to concurrently serve multiple clients through a single deployment of the SaaS application.
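The "single deployment serving multiple clients" side of the trade-off above, and the "data may get mixed up" concern under browser risks, both come down to tenant isolation inside the provider's application. This added example (not code from the notes or from any SaaS provider) models a shared store in which every read, write and delete is scoped by the tenant id fixed in the authenticated session, beside the unscoped lookup that would leak one customer's records to another.

```python
# Added example (not from the notes or any provider): tenant isolation in a
# shared SaaS deployment. Every read, write and delete is scoped by the tenant
# id fixed in the authenticated session, never by an id the request supplies.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Session:
    user: str
    tenant_id: str  # set at login; not changeable per request


@dataclass
class Record:
    tenant_id: str
    key: str
    value: str


@dataclass
class SharedStore:
    """One process, one table, many customers: isolation lives in the query."""
    rows: List[Record] = field(default_factory=list)

    def put(self, session: Session, key: str, value: str) -> None:
        # Ownership is stamped from the session, so a client cannot write
        # into another tenant's namespace by naming it.
        self.rows.append(Record(session.tenant_id, key, value))

    def get(self, session: Session, key: str) -> Optional[str]:
        # Correct lookup: tenant filter applied together with the key match.
        for r in self.rows:
            if r.tenant_id == session.tenant_id and r.key == key:
                return r.value
        return None

    def get_unscoped(self, key: str) -> Optional[str]:
        # The defect to avoid: forgetting the tenant filter returns whichever
        # tenant's row happens to match first (the "mixed up" data above).
        for r in self.rows:
            if r.key == key:
                return r.value
        return None

    def delete(self, session: Session, key: str) -> int:
        # Deletion on the consumer's request is scoped the same way; returns
        # how many of the caller's own rows were removed.
        before = len(self.rows)
        self.rows = [r for r in self.rows
                     if not (r.tenant_id == session.tenant_id and r.key == key)]
        return before - len(self.rows)
```

Two tenants storing a record under the same key is the realistic case: the scoped `get` returns each tenant its own row, while `get_unscoped` hands tenant B whatever tenant A stored first.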

NIST Recommendations for SaaS

• Data protection
The consumer should analyze the data protection, configuration and database transaction processing technologies of the SaaS provider, and compare them with the confidentiality, integrity, availability and compliance requirements of the consumer.

• Client device/application protection
The consumer's client device (the browser running on a computer) should be protected to control the exposure to attacks.

• Encryption
A strong encryption algorithm with a key of the required strength should be used for each web session as well as for the data.

• Secure data deletion
Data deletion on the consumer's request should be reliably done.
